+warwagon 9,647

Every now and then an antivirus company releases a definition update which brings Windows to its knees. ( Example: When Webroot recently released an update which locked people out of their windows 8 machines) The AV accidentally flags a crucial system file as malicious and deletes it. How does this happen? I realize there are 100,000?s of thousands of different windows applications which could accidentally be flagged, thus they can?t test each one, but windows?

I don?t know how they check each definition update, but to me it doesn?t sound that hard. Wouldn?t it be easy to setup a few quad core machines with 2+ SSD?s in raid 0. Then each computer would contain a different bare-bones version of windows, starting with a machine that has all the latest updates. Then before the update is released they scan each machine. Because the computer is a bare install and because it?s running on an SSD raid 0 setup, the scan should only take a few minutes. If they did this before they released each update I don?t see how they could accidentally release an update that kills thousands of machines.

Share on other sites

HawkMan 5,099

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Link to post

Share on other sites

+warwagon 9,647

NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows

YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

Share this post

Link to post

Share on other sites

HawkMan 5,099

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

yeah, but AVG is horrible across the board. and they are able to give the free version away free because they don't spend as much resources on checking it.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Using the digital signature check is a safe bet as any modification will result in the file no longer being signed...

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

Well yes, right now they don't do it right hence the thread ;)

My point was a way they could stop breaking Windows with definition updates. There is no need to scan a Windows system file that has not changed and was published officially by Microsoft. They should save the resources and just skip scanning it altogether (I'm not talking about scanning the state of the application in memory, but the actual file on disk).

Share on other sites

+LogicalApex 1,745

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

If they have problems with the way Digital Signatures work in Windows it would be beneficial to everyone if they publicized the problem and encouraged Microsoft to fix them.

If they are truly as scared as you claim then they should, at least, SHA256 hash all of the Windows files and compare against those to see if the content has changed. The point is, they need to whitelist the OS and report any security problems in unaltered OS files to Microsoft directly. They can't remove Windows security vulnerabilities and just removing a core OS file could lead to users being unable to use their machines. To me, killing a user's computer is a stupid end result for these products.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Yes, there are ways to try and spoof the name of the company signing the file to look at like like "Microsoft Corporation" or whatever, but the AV company should be using Microsoft's public key to compare against and not the name displayed to the user. A scammer can fake the name and anything else, but he can't fake the Microsoft public key without having the corresponding private key. This hasn't yet been cracked as the foundation for this is what all of our eCommerce transactions (and more) depend on daily to remain safe.

Share this post

Link to post

Share on other sites

HawkMan 5,099

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Share this post

Link to post

Share on other sites

Astra.Xtreme 2,081

Astra.Xtreme 2,081

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

You don't seem to understand what he's saying. A file signed by Microsoft will not be of any sort of security concern. Microsoft isn't going to slipstream a virus into it's OS, so there's no point at all in scanning those core files. It's a waste of time and it leaves the door open for critical mistakes. As was already said, scan the state in memory or the hash, and that's all that will ever be needed.

Share this post

Link to post

Share on other sites

HawkMan 5,099

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Share this post

Link to post

Share on other sites

xWhiplash 351

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

But no AV program is 100% successful anyway, so they cannot really guarantee that your system is 100% perfectly clean.

Share this post

Link to post

Share on other sites

Astra.Xtreme 2,081

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Again, you're missing the context here. We are talking about files signed by Microsoft. Unless there is a disgruntled employee writing Windows, there is a 0% chance a stock Microsoft signed file will be infected with something. I see no reason why Microsoft couldn't be trusted for publishing clean files in their OS. There's no logic in believing this would be a security risk. Scanning these files only adds unnecessary reliability risks.